The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Restart Windows explorer with an UAC administrator token

Posted by jpluimers on 2023/05/10

Sometimes you want to restart Windows Explorer. That is already an exceptional case: you do it when explorer hangs (for instance when taskbar icons do not respond any more) or has files locked that need to be modified. I described the latter in Inno Setup: Program Folder not showing up In Start > All Programs, with this very simple restart script:

taskkill /F /IM explorer.exe
start explorer

Even more exceptional is wanting to run explorer with a UAC elevated administrative token. I sometimes do this when moving around stuff from other users on the same computer without having them logged on (as that would lock the files or directories to be moved around).

The risk of running explorer under UAC elevation is that any program you start from it will also start UAC elevated, so beware what you ask for…

This is how you start explorer under UAC elevation:

pwsh.exe -nol -noni -nop -w hidden -c "taskkill /f /im explorer.exe; start explorer -v runas -a /nouaccheck"

or, if you run the older Windows PowerShell:

PowerShell.exe -nol -noni -nop -w hidden -c "taskkill /f /im explorer.exe; start explorer -v runas -a /nouaccheck"

These command-line options and verbs are used:

Time to explain a few:

* -WindowStyle Hidden

Having a hidden window actually serves two purposes. First of all, it prevents a console window from briefly flashing while explorer is killed and restarted. That would also work with the -NoNewWindow option, which brings us to the second reason for having a hidden window:

We also require runas (for reasons explained below), and runas needs a window handle to operate on. [Wayback/Archive] Verb RunAs in a Start-Process Powershell command causes an error – Stack Overflow and [Wayback/Archive] Are these parameters incompatibles? explain the incompatibility and why -WindowStyle Hidden is needed: the alternative, -NoNewWindow, cannot be used.

** runas

runas is a verb that Start-Process in the end passes on to the [Wayback/Archive] ShellExecuteA function (shellapi.h) – Win32 apps | Microsoft Docs (or likely even the [Wayback/Archive] ShellExecuteExA function (shellapi.h) – Win32 apps | Microsoft Docs), which ultimately launches the new process. The runas verb is passed as lpVerb in the structure [Wayback/Archive] SHELLEXECUTEINFOA (shellapi.h) – Win32 apps | Microsoft Docs.

When runas is passed as the verb, ShellExecute performs the UAC elevation to an administrative token, as per [Wayback/Archive] Launching Applications (ShellExecute, ShellExecuteEx, SHELLEXECUTEINFO) – Win32 apps | Microsoft Docs:

Commonly available verbs include:

  • edit: Launches an editor and opens the document for editing.
  • find: Initiates a search starting from the specified directory.
  • open: Launches an application. If this file is not an executable file, its associated application is launched.
  • print: Prints the document file.
  • properties: Displays the object’s properties.
  • runas: Launches an application as Administrator. User Account Control (UAC) will prompt the user for consent to run the application elevated or enter the credentials of an administrator account used to run the application.

A small Windows API elevation example is at [Wayback/Archive] Elevate through ShellExecute | Microsoft Docs.

A PowerShell example is at [Wayback/Archive] Launch Elevated PowerShell Shell – Scripting Blog which even has a sudo alias:

Function Start-ElevatedPowerShell
{
 Start-Process PowerShell -Verb runas
}
Set-Alias -Name sudo -Value Start-ElevatedPowerShell | Out-Null

You could generalise this even further than [Wayback/Archive] V2 Quick Tip: Starting a new elevated process from a PowerShell script – PowerShell Team by restarting your own process and passing it enough context (for instance by appending all command-line parameters).
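
The generalisation described above, as an added example that is not taken from the linked posts: a script that relaunches itself through the runas verb and forwards the parameters it was called with. The parameter names Path and Recurse are placeholders chosen for illustration.

```powershell
# Added example; -Path and -Recurse are hypothetical parameters used only for illustration.
param(
    [string]$Path = $env:TEMP,
    [switch]$Recurse
)

function Test-IsElevated {
    # A filtered (non-elevated) administrator token reports $false here.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    # Rebuild the command line from the parameters that were actually bound.
    $argList = @('-NoProfile', '-File', "`"$PSCommandPath`"")
    foreach ($entry in $PSBoundParameters.GetEnumerator()) {
        if ($entry.Value -is [switch]) {
            if ($entry.Value.IsPresent) { $argList += "-$($entry.Key)" }
        } else {
            # Quote the value so spaces survive; values that contain quotes
            # or end in a backslash need extra escaping.
            $argList += "-$($entry.Key)", "`"$($entry.Value)`""
        }
    }
    # Relaunch in the same host (pwsh.exe or powershell.exe) through the runas verb.
    $hostExe = (Get-Process -Id $PID).Path
    try {
        Start-Process -FilePath $hostExe -Verb RunAs -ArgumentList $argList
    } catch {
        # Start-Process throws when the UAC prompt is declined.
        Write-Warning "Elevation was not granted: $($_.Exception.Message)"
        exit 1
    }
    exit 0
}

# From here on the script runs with the elevated token.
Write-Host "Elevated run: Path=$Path Recurse=$Recurse"
```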

Unlike the runas command, the runas verb will start the new process elevated. The runas command needs a specific user parameter to elevate.

Note that doing the opposite (from elevated to non-elevated) is harder, as described by [Wayback/Archive] How can I launch an unelevated process from my elevated process and vice versa? – The Old New Thing.

Back to SHELLEXECUTEINFO: the .NET equivalent that Start-Process uses is the [Wayback/Archive] ProcessStartInfo Class (System.Diagnostics) | Microsoft Docs. It has a [Wayback/Archive] ProcessStartInfo.Verb Property (System.Diagnostics) | Microsoft Docs where the runas verb is passed. But it also has a [Wayback/Archive] ProcessStartInfo.Verbs Property (System.Diagnostics) | Microsoft Docs.

That one is used to list the allowable verbs for an executable using the small bit of code in [Wayback/Archive] #PSTip Explore values that can be used with Start-Process’s -Verb parameter:

PS> $processInfo = New-Object System.Diagnostics.ProcessStartInfo -ArgumentList "test.exe"
PS> $processInfo.Verbs
open
runas
runasuser

Note that in the -ArgumentList, the name of the executable does not even matter: as long as it is an executable, the verbs list is retrieved.

The verbs are retrieved from the registry subkeys under HKEY_CLASSES_ROOT\exefile\shell, which you can also query using reg.exe:

C:\temp>reg query HKEY_CLASSES_ROOT\exefile\shell

HKEY_CLASSES_ROOT\exefile\shell\open
HKEY_CLASSES_ROOT\exefile\shell\runas
HKEY_CLASSES_ROOT\exefile\shell\runasuser

When HKEY_CLASSES_ROOT\exefile\shell gets damaged, it is possible that you cannot start executables from the shell any more (including from the Windows explorer), as explained by [Wayback/Archive] Cannot open EXE files – Windows Server | Microsoft Docs.

*** NoUACCheck

Unlike the other undocumented explorer.exe switches listed below, /NoUACCheck is sort of documented by the public:

  • [Wayback/Archive] What’s “CreateExplorerShellUnelevatedTask” ? Solved – Windows 10 Forums

    The CreateExplorerShellUnelevatedTask task prevents Explorer from running elevated.

    In Windows 10, any attempt to start Explorer with elevation switch seems to get intercepted by Windows and a CreateExplorerShellUnelevatedTask task is created and run instead. Because the task is configured to run with the lowest privileges, Explorer never gets run with elevation.

    When Explorer is executed with the ‘/nouaccheck’ switch the CreateExplorerShellUnelevatedTask task is ignored and Explorer is launched conventionally, its elevated status inherited from the process that started it, as expected.

  • [Wayback/Archive] CreateExplorerShellUnelevatedTask – server 2016/19 : sysadmin

    The CreateExplorerShellUnelevatedTask task prevents Explorer from running elevated.

    In Windows, any attempt to start Explorer with elevation switch seems to get intercepted by Windows and a CreateExplorerShellUnelevatedTask task is created and run instead. Because the task is configured to run with the lowest privileges, Explorer never gets run with elevation.

    When Explorer is executed with the ‘/nouaccheck’ switch the CreateExplorerShellUnelevatedTask task is ignored and Explorer is launched conventionally, its elevated status inherited from the process that started it, as expected.

  • [Wayback/Archive] How to Run File Explorer Elevated | Windows OS Hub

    Or you can start a new privileged explorer process from Task Manager -> File -> Run New Task -> explorer.exe /nouaccheck (be sure to check the option “Create this task with administrative privileges”).
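
Because explorer may or may not end up elevated depending on whether /nouaccheck was passed, and because everything started from an elevated explorer inherits that token, it helps to check what the running shell actually holds. The following is an added example, not code from the original post or the quoted sources: it reads the TokenElevation flag of every explorer.exe process through the Win32 token APIs. The names Win32.Tok and Get-ProcessElevation are made up for this example; if the token cannot be read from the calling shell, the function reports Unknown rather than guessing.

```powershell
# Added example. OpenProcess, OpenProcessToken, GetTokenInformation and CloseHandle are
# Win32 APIs; the wrapper type Win32.Tok and the function name are hypothetical.
Add-Type -Namespace Win32 -Name Tok -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, out int info, int length, out int returned);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr handle);
'@

function Get-ProcessElevation {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $TOKEN_QUERY    = 0x0008
    $TokenElevation = 20   # TOKEN_INFORMATION_CLASS value; returns a TOKEN_ELEVATION (one DWORD)

    $process = [Win32.Tok]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($process -eq [IntPtr]::Zero) { return 'Unknown (cannot open process)' }
    try {
        $token = [IntPtr]::Zero
        if (-not [Win32.Tok]::OpenProcessToken($process, $TOKEN_QUERY, [ref]$token)) {
            return 'Unknown (cannot open token)'
        }
        try {
            $isElevated = 0; $returned = 0
            if (-not [Win32.Tok]::GetTokenInformation($token, $TokenElevation, [ref]$isElevated, 4, [ref]$returned)) {
                return 'Unknown (token query failed)'
            }
            if ($isElevated -ne 0) { 'Elevated' } else { 'Not elevated' }
        } finally { [void][Win32.Tok]::CloseHandle($token) }
    } finally { [void][Win32.Tok]::CloseHandle($process) }
}

# One row per explorer.exe instance, including those in other sessions.
Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Id        = $_.Id
        SessionId = $_.SessionId
        Elevation = Get-ProcessElevation -ProcessId $_.Id
    }
}
```

Once the file move is done, running the plain restart script from the top of this post from a non-elevated prompt and re-running this check confirms that the shell is back on the filtered token.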

Still undocumented explorer.exe switches (some mentioned at [Wayback/Archive] QuickPost – publishing Windows Explorer in Citrix and RDSH – JAMES-RANKIN.COM and [Wayback/Archive] Explorer command line switches? – Super User):

  • /existinguser
  • /Explorer
  • /LOADSAVEDWINDOWS
  • /Factory
  • /IDLIST
  • /NoShellRegistrationCheck
  • /NoShellRegistrationAndUACCheck
  • /oobe
  • /oobetransition
  • /recycle
  • /RunFirstLogonAnim
  • /SEPARATE
  • /source LogonTask
  • /Run6432
  • /toast
  • /turn
  • /zbe

How this started

Some messages from the Twitter thread that started all this:

Search queries used:

–jeroen


 

In case you ever need to restart explorer.exe as an elevated user on Windows, you can create a *.cmd file or a shortcut with this line: "C:\Program Files\PowerShell\7\pwsh.exe" -nol -noni -nop -w hidden -c "taskkill /f /im explorer.exe; start explorer -v runas -a /nouaccheck"

-nol -NoLogo
-noni -NonInteractive
-nop -NoProfile
-w -WindowStyle
-c -Command
-v -Verb
-a -ArgumentList
start Start-Process

See `pwsh /?`, `taskkill /?`.
